ITS THE FUTURE BAYBEEEEEE
Where to From Here Cap'n?


• Background
• The Scanning Problem
• Honeypotting for PSLAAC
• Modeling for non-PSLAAC
• Being Less Dumb
• To The Cloud
• Results
• IPv666
• Conclusion


A Bit o' Background


IPv6 - So Hot Right Now 


Native: 26.86% 6to4/Teredo: 0.00% Total IPv6: 26.87% | Mar 16, 2019


A Tale of Gateways and Set Top Boxes


• DEFCON 25
• 26 CVEs
• All in consumer premise equipment (CPE)
• ie: Comcast gateways and set top boxes
• IPv6 was a big part
• https://github.com/BastilleResearch/CableTap


Send-to-TV / Remote Web UI 


• Gateway web UI accepts remote requests from ISP infrastructure
• IPv6 address of target gateway provides remote web UI access via set-top box


Seems Kinda Spooky


• IPv6 works out of the box without manual configuration
• All your devices and networking equipment prefer it
• There's no such thing as private address space (for the most part)
• Your IPv4 firewall rules don't apply
• ICMPv6 is a critical protocol
• Single packets can be relayed to lots and lots of hosts


Let's Go Hunting 


The Problem of Scale


• IPv4
  32 bit addresses
  2^32 possible addresses
  4,294,967,296 addresses

• IPv6
  128 bit
  2^128 possible addresses
  340,282,366,920,938,463,463,374,607,431,768,211,456 addresses


PSLAAC Makes Things Harder


Request for Comments: 4941 IBM Corporation
Obsoletes: 3041 R. Draves
Category: Standards Track Microsoft Research
S. Krishnan
Ericsson Research
September 2007


Privacy Extensions for Stateless Address Autoconfiguration in IPv6 
Status of This Memo 


This document specifies an Internet standards track protocol for the 
Internet community, and requests discussion and suggestions for 
improvements. Please refer to the current edition of the "Internet 
Official Protocol Standards" (STD 1) for the standardization state 
and status of this protocol. Distribution of this memo is unlimited. 


Figure 3-2 Basic IPv6 Address Format
X:X:X:X:X:X:X:X
Prefix | Subnet ID | Interface ID

Example:
2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b
Site Prefix | Subnet ID | Interface ID


Addresses have host and network bits 


Network is site prefix and subnet ID 
Host is interface ID 


PSLAAC means interface ID is 
pseudorandom 


Even "small" networks (/96) have 32 
bits of randomness 


Breaking Down the Problem 


• Modeling for cryptographic entropy is no bueno
• Two independent problems instead
  o Identifying PSLAAC hosts
  o Identifying non-PSLAAC hosts


LET'S BREAK IT 
DOWN 


Honeypotting for PSLAAC 


Why Honeypotting? 


Search space too massive 
Instead of finding them, have them find us 
Took multiple approaches 


o DNS Server 
o SMTP Server 
o Web Server 


Popads! 


Honey DNS Server 


• Setup Bind server
• Glue records point to IPv6
• Zones delegated to IPv4 then IPv6
• Post links all over social media
• Popads!


[Chart: queries.log, count by timestamp per week, 2017-12-31 to 2018-10-31; y-axis ticks at 50,000, 100,000 and 150,000]


A Quick Note on PopAds 


[Chart: access.log, count by timestamp per second, 21:37:45 to 21:39:45]


Honey Web Server


Set up best site ever at 
http://ipv6.exposed/ 


Available over IPv6, some other 
shenanigans for forcing IPv6 


WebRTC for IP address enumeration 
Post all over social media 


Popads! 


Honey Web Server (cont'd) 


[Chart: count by timestamp per week]


Honey SMTP Server 


• Setup SMTP server
• Have our DNS honeypot point to it
• Sign up for ALL THE THINGS
• Use MailBait to sign up for spam
• Mega womp womp


Sweet(?) Honey Results


• 92,609 unique IP addresses over ~10 months
• Cost $500+
• Lost focus, but still suboptimal


AND THEN... 


Lol... 


Internet Draft H. Kitamura
<draft-kitamura-ipv6-ephemeral-address-00.txt> NEC Corporation
S. Ata
Osaka City University
M. Murata
Osaka University
Expires June 2009 October 20, 2008


IPv6 Ephemeral Addresses
<draft-kitamura-ipv6-ephemeral-address-00.txt>


Status of this Memo 


By submitting this Internet-Draft, each author represents that any 
applicable patent or other IPR claims of which he or she is aware 

have been or will be disclosed, and any of which he or she becomes 
aware will be disclosed, in accordance with Section 6 of BCP 79. 


Modeling for Non-PSLAAC 


Structure in IPv6 Addresses 




MACHINE LEARNING BAYBEEEE 


• Model is a compact representation of data set
• Projection through model creates new data set with error %
• Errors are representative of structure in IPv6 addresses
• Hopefully find new addresses

[Image: Cross section of Human Eye]


lol jk 


• All attempts resulted in overfitting
• Projected addresses were the same as our input addresses
• We're not ML experts sooooo....


The Entropy/IP Paper


[Figure panels: (a) H, entropy per nybble, against prefix length / hex char location (bits), 0 to 128; (b) address segments, e.g. 2001:0db8:0022:1048:17ec:d7eb:19b0:dfe4; (c) probability per segment, e.g. 2001:0db8:0010:0013:0000:0000:0000:055d]


Figure 1: Entropy/IP's user interface displaying an analysis of a Japanese telco prefix with 24K active client IPs. Entropy by nybble plotted in (a). In (b), we select the 00000... value (60%) for segment J by mouse click, resulting in updated probabilities in (c) (e.g., 100%).


http://www.entropy-ip.com/
Really interesting paper from Akamai


Maps entropy of different segments of IPv6 addresses


Big takeaways:

  o Not THAT much entropy in non-PSLAAC IPs
  o Simpler modeling might work better


Dumbing Things Down (Modeling) 


2800:4f0:80:f662:880b:6c2f:cf59:662b

↓ Break down into 32 nybbles

0x2, 0x8, 0x0, 0x0, 0x0, 0x4, 0xf, 0x0, 0x0, 0x0, 0x8, 0x0, 0xf, 0x6, ...

↓ Count occurrences by position and nybble


Dumbing Things Down (Prediction)


0x2 at Position 0 → probabilities[0][0x2] → Position 1

p(0x0) => 0.05
p(0x1) => 0.05
p(0x2) => 0.01
p(0x3) => 0.09
p(0x4) => 0.00
p(0x5) => 0.15
p(0x6) => 0.05
p(0x7) => 0.09
p(0x8) => 0.00
p(0x9) => 0.06
p(0xa) => 0.15
p(0xb) => 0.09
p(0xc) => 0.06
p(0xd) => 0.10
p(0xe) => 0.03
p(0xf) => 0.02
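
The counting and lookup steps from the two "Dumbing Things Down" slides, together with the per-nybble entropy that Entropy/IP plots, can be used to measure how guessable an address plan is. The following is an added example, not code from the talk or from ipv666; the `Model` layout (a `probabilities[pos][nybble]` lookup giving the distribution of the next position) is an assumed reading of the slide, and the seed addresses are constructed inside the 2001:db8::/32 documentation prefix.

```go
package main

import (
	"fmt"
	"math"
	"net/netip"
)

// Model counts nybbles by position, plus how often nybble w at position i+1
// follows nybble v at position i (assumed meaning of probabilities[pos][nybble]).
type Model struct {
	N     int
	Count [32][16]int
	Next  [31][16][16]int
}

// Nybbles splits an IPv6 address into its 32 four-bit values.
func Nybbles(a netip.Addr) [32]byte {
	var out [32]byte
	for i, b := range a.As16() {
		out[2*i], out[2*i+1] = b>>4, b&0x0f
	}
	return out
}

// Train builds the model from seed addresses; anything that is not IPv6 is rejected.
func Train(seeds []string) (*Model, error) {
	m := &Model{}
	for _, s := range seeds {
		a, err := netip.ParseAddr(s)
		if err != nil || !a.Is6() || a.Is4In6() {
			return nil, fmt.Errorf("not an IPv6 address: %q", s)
		}
		n := Nybbles(a)
		for i, v := range n {
			m.Count[i][v]++
			if i < 31 {
				m.Next[i][v][n[i+1]]++
			}
		}
		m.N++
	}
	return m, nil
}

// Entropy returns the Shannon entropy in bits (0 to 4) of the nybble at pos.
// Low values mean that position is predictable from the seed set.
func (m *Model) Entropy(pos int) float64 {
	h := 0.0
	for _, c := range m.Count[pos] {
		if c > 0 {
			p := float64(c) / float64(m.N)
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Probabilities returns P(nybble at pos+1 | nybble v at pos), for pos in 0..30.
func (m *Model) Probabilities(pos int, v byte) [16]float64 {
	var out [16]float64
	if total := m.Count[pos][v]; total > 0 {
		for w, c := range m.Next[pos][v] {
			out[w] = float64(c) / float64(total)
		}
	}
	return out
}

// SampleSeeds are constructed, statically assigned looking addresses.
var SampleSeeds = []string{
	"2001:db8:0:1::1", "2001:db8:0:1::2", "2001:db8:0:2::1", "2001:db8:0:2::53",
}

func main() {
	m, err := Train(SampleSeeds)
	if err != nil {
		panic(err)
	}
	for pos := 0; pos < 32; pos++ {
		fmt.Printf("position %2d: H = %.2f bits\n", pos, m.Entropy(pos))
	}
	fmt.Println("P(position 1 | 0x2 at position 0):", m.Probabilities(0, 0x2))
}
```

Run against an inventory of your own assigned addresses, positions with near-zero entropy are the ones a model like this recovers; PSLAAC interface IDs show close to 4 bits at every host position.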


Looks Promising... TOO PROMISING 


• Generated 10mm addresses
• After scanning, over 50k responded to ICMP probes
• WOW WE TOTES SOLVED THE PROBLEM!!! ZOMG CELEBRATION TIME!!!


Enter Aliased (ie: Jerk) Networks 


• Network ranges where every IP address responds to ICMP pings
• Why?? Because they're jerks
• Not great for scanning
• Even worse for statistical modeling


Identifying Aliased Networks (Initial) 


2800:4f0:80:f662:880b:6c2f:cf59:662b

↓ Wrap in /96 network

2800:4f0:80:f662:880b:6c2f:cf59:662b/96

↓ Generate eight addresses in network

2800:4f0:80:f662:880b:6c2f:fed3:4e03
2800:4f0:80:f662:880b:6c2f:eb83:9376
2800:4f0:80:f662:880b:6c2f:8924:f2f6
2800:4f0:80:f662:880b:6c2f:7949:73486
2800:4f0:80:f662:880b:6c2f:5676:f7bb
2800:4f0:80:f662:880b:6c2f:a286:ad59
2800:4f0:80:f662:880b:6c2f:bb7d:6d0a
2800:4f0:80:f662:880b:6c2f:8e3e:4fd4

↓ ICMP scan

↓ If 50% of addresses respond, net is aliased

2800:4f0:80:f662:880b:6c2f:cf59:662b/96


Identifying Aliased Networks (Network Size) 


2800:4f0:80:f662:880b:6c2f:cf59:662b


↓ Map to bits


0010100000000000:0000010011110000:0000000010000000:1111011001100010:1000100000001011:0110110000101111:1100111101011001:0110011000101011 


Unknown Aliased
↓ Flip right half of unknown bits


0010100000000000:0000010011110000:0000000010000000:0000100110011101:0111011111110100:1001001111010000:1100111101011001:0110011000101011 


↓ ICMP scan


Identifying Aliased Networks (Network Size cont'd) 


↓ ICMP scan


No response received: left bits are not aliased, flipped bits are unknown
Response received: flipped bits are aliased, left bits are unknown


Rinse and repeat 


0010100000000000:0000010011110000:0000000010000000:1111011001100010:1000100000001011:0110110000101111:1100111101011001:0110011000101011 


Not Aliased Unknown Aliased 


0010100000000000:0000010011110000:0000000010000000:1111011001100010:1000100000001011:0110110000101111:1100111101011001:0110011000101011 


Unknown Aliased 
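
The two aliased-network slides describe a /96 sampling test followed by a binary search over the prefix bits. The following is an added example of that procedure, not code from the talk or from ipv666: the `Probe` callback stands in for the ICMP scan and is simulated here, so no packets are sent, and the seed and aliased range are constructed inside 2001:db8::/32.

```go
package main

import (
	"fmt"
	"math/rand"
	"net/netip"
)

// Probe reports whether an address answered an echo request. A real
// implementation would send ICMPv6; here it is injected so the logic is testable.
type Probe func(netip.Addr) bool

// flipBits inverts every bit of a in [from, to), counting bit 0 as the MSB.
func flipBits(a netip.Addr, from, to int) netip.Addr {
	b := a.As16()
	for i := from; i < to; i++ {
		b[i/8] ^= byte(0x80) >> uint(i%8)
	}
	return netip.AddrFrom16(b)
}

// LooksAliased wraps the address in its /96, probes eight random addresses in
// that network and calls it aliased when at least 50% of them respond.
func LooksAliased(a netip.Addr, probe Probe) bool {
	base := a.As16()
	hits := 0
	for i := 0; i < 8; i++ {
		c := base
		r := rand.Uint32()
		c[12], c[13], c[14], c[15] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
		if probe(netip.AddrFrom16(c)) {
			hits++
		}
	}
	return hits*2 >= 8
}

// AliasBoundary finds the shortest prefix that is still aliased. Bits at and
// after hi are known aliased, bits before lo are known significant, and each
// round flips the right half of the unknown bits in between.
func AliasBoundary(a netip.Addr, probe Probe) netip.Prefix {
	lo, hi := 0, 96
	for lo < hi {
		mid := (lo + hi) / 2
		if probe(flipBits(a, mid, hi)) {
			hi = mid // response: flipped bits are aliased, left bits unknown
		} else {
			lo = mid + 1 // no response: left bits not aliased, flipped bits unknown
		}
	}
	p, _ := a.Prefix(hi)
	return p
}

// Simulate runs both steps against a stand-in responder that answers for
// every address inside the aliased range.
func Simulate(seed, aliased string) (bool, string) {
	a := netip.MustParseAddr(seed)
	pfx := netip.MustParsePrefix(aliased)
	probe := func(x netip.Addr) bool { return pfx.Contains(x) }
	if !LooksAliased(a, probe) {
		return false, ""
	}
	return true, AliasBoundary(a, probe).String()
}

func main() {
	ok, pfx := Simulate("2001:db8:80:f662:880b:6c2f:cf59:662b", "2001:db8:80:f662:8800::/72")
	fmt.Println(ok, pfx)
}
```

A single probe per round is enough for the simulation; against a real network each round would need several probes and a loss-tolerant threshold, as the eight-address test does.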


Getting Less Dumber 


6gen 


Target Generation for Internet-wide IPv6 Scanning 


Austin Murdock¹,², Frank Li¹,², Paul Bramsen¹, Zakir Durumeric², Vern Paxson¹,²

{austinmurdock, frankli, paulbramsen, vern}@berkeley.edu, zakir@icsi.berkeley.edu

¹ University of California, Berkeley
² International Computer Science Institute


ABSTRACT

Fast IPv4 scanning has enabled researchers to answer a wealth of new security and measurement questions. However, while increased network speeds and computational power have enabled comprehensive scans of the IPv4 address space, a brute-force approach does not scale to IPv6. Systems are limited to scanning a small fraction of the IPv6 address space and require an algorithmic approach to determine a small set of candidate addresses to probe. In this paper, we first explore the considerations that guide designing such algorithms. We introduce a new approach that identifies dense address space regions from a set of known “seed” addresses and generates a set of candidates to scan. We compare our algorithm 6Gen against Entropy/IP—the current state of the art—finding that we can recover between 1-8 times as many addresses for the five candidate datasets considered in the prior work. However, during our analysis, we uncover widespread IP aliasing in IPv6 networks. We discuss its effect on target generation and explore preliminary approaches for detecting aliased regions.


and Masscan [18] have fundamentally enhanced the ability of researchers to conduct wide-ranging assessments of Internet services, including the use of cryptography in practice [4], uncovering network administrator behaviors [21], and tracking vulnerability remediation [11].

These tools leverage the density and limited size of the IPv4 address space: today's scanning speeds are such that it is feasible to exhaustively enumerate all possible IPv4 addresses in order to conduct comprehensive scans. However, as has long been recognized [3], IPv6's much larger address space renders exhaustive probing completely infeasible. This then raises the question for measurement researchers of how to obtain at least a degree of global IPv6 address visibility somewhat comparable to the comprehensive IPv4 visibility provided by tools such as ZMap.

While prior work has developed sophisticated techniques for inferring the underlying structure of how IPv6 network operators assign addresses in their networks [14], and, separately, for how to leverage IPv6 address assignment policies to abet network reconnaissance [17], the question of how to employ these insights to


Published in 2017 out of UC 
Berkeley 


Improves upon the Entropy/ 
IP paper with a new 
clustering algorithm 


IPv6 Address Clusters


• An IPv6 address cluster is defined as an IP address and a set of wild card nybble indices
• A cluster's utility is based on its...
  o Capacity - How many possible addresses are in the cluster?
  o Density - How many of the cluster's IPs are in the input data set?

IPv6 Address Clusters (Example) 


2800:4f0:80:f662:880b:6c2f:cf59:662b

[Figure: nybble rows 0x2, ..., 0x0, 0x0, 0x4, 0xf, 0x0, 0x0, 0x0, 0x8, 0x0, 0xf, 0x6, ...]

Capacity: 16   Captured: 2   Density: 12.5%


IPv6 Address Clusters (Example)


0x2, ???, 0x0, 0x0, 0x0, 0x4, 0xf, 0x0, 0x0, 0x0, 0x8, 0x0, 0xf, 0x6, ...

[Figure: 16 nybble rows, one per value of the wildcard nybble]


Original Algorithm 


• For every IPv6 address
  o Create a cluster of size 1
  o Evaluate best cluster upgrades with adding only one wildcard
  o Take the next best upgrade
  o Add upgraded cluster to the cluster set

(Slide annotations: 5MM; Not intended to identify new addresses; Expensive)
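
The cluster definition (an address plus wildcard nybble indices, scored by capacity and density) and the single-wildcard upgrade step of the original algorithm, as an added example that is not code from the 6Gen paper or from ipv666. The `Cluster` type, `BestUpgrade` and the seed set are hypothetical names and constructed data in 2001:db8::/32; ties are broken by lowest index, which is an assumption.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// hex32 renders an address as its 32 hex nybbles with no separators.
func hex32(s string) string {
	return strings.ReplaceAll(netip.MustParseAddr(s).StringExpanded(), ":", "")
}

// Cluster is a base address plus a set of wildcard nybble indices (0..31).
type Cluster struct {
	Base string // 32 hex nybbles
	Wild [32]bool
}

// Capacity is the number of addresses the cluster can express: 16^wildcards.
// float64 is used because 16^32 does not fit in a uint64.
func (c Cluster) Capacity() float64 {
	n := 1.0
	for _, w := range c.Wild {
		if w {
			n *= 16
		}
	}
	return n
}

// Contains reports whether h (32 hex nybbles) matches on every fixed position.
func (c Cluster) Contains(h string) bool {
	for i := 0; i < 32; i++ {
		if !c.Wild[i] && c.Base[i] != h[i] {
			return false
		}
	}
	return true
}

// Density returns how many seeds the cluster captures and captured/capacity.
func (c Cluster) Density(seeds []string) (int, float64) {
	captured := 0
	for _, s := range seeds {
		if c.Contains(s) {
			captured++
		}
	}
	return captured, float64(captured) / c.Capacity()
}

// BestUpgrade tries each way of adding exactly one wildcard and returns the
// index with the highest resulting density (-1 if every nybble is already wild).
func (c Cluster) BestUpgrade(seeds []string) (int, float64) {
	best, bestD := -1, -1.0
	for i := 0; i < 32; i++ {
		if c.Wild[i] {
			continue
		}
		u := c
		u.Wild[i] = true
		if _, d := u.Density(seeds); d > bestD {
			best, bestD = i, d
		}
	}
	return best, bestD
}

// Seeds is a constructed input set.
var Seeds = []string{
	hex32("2001:db8::1"), hex32("2001:db8::2"), hex32("2001:db8::3"), hex32("2001:db8:0:1::1"),
}

func main() {
	c := Cluster{Base: Seeds[0]} // cluster of size 1
	i, d := c.BestUpgrade(Seeds)
	fmt.Printf("best single wildcard: nybble %d, density %.2f%%\n", i, d*100)
}
```

Evaluating 32 upgrades against every seed for every cluster is what makes the original algorithm expensive on large seed sets.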


666gen Generation 


• Select a cluster from cluster set at random
• For i in 0..32
  o Roll a weighted die to determine nybble source
    ▪ Generate from stardust probability distribution
    ▪ Generate from selected cluster


Fanning Out 


• Fan-out to discover addresses similar to those generated with modeling
• Addresses with a 1-nybble difference from a newly discovered address
• Sequentially-neighboring /64 networks and hosts


Nybble-Adjacent Fanout


• For each discovered address, generate up to 465 candidate addresses, each differing by one nybble
• 15-465 addresses are generated depending on the target network mask
• Target network
  2000::/4
• Starting IP address
  2001:0558:0110:0000:ffff:ffff:0000:0021


Example candidates:

2001:0558:0110:0000:ffff:ffff:0000:0020
2001:0558:0110:0000:ffff:ffff:0000:0022
2001:0558:0110:0000:ffff:ffff:0000:0023
...
2001:0558:0110:0000:ffff:ffff:0000:002f
...
2001:0559:0110:0000:ffff:ffff:0000:0021
...
2201:0558:0110:0000:ffff:ffff:0000:0021
2301:0558:0110:0000:ffff:ffff:0000:0021
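
Where the 15 and 465 on the slide come from: a /4 fixes the first nybble and leaves 31 nybbles with 15 alternative values each, while a /124 leaves one. The following is an added example, not code from ipv666; keeping only candidates that stay inside the target network is an assumption about how the mask limits the fan-out.

```go
package main

import (
	"fmt"
	"net/netip"
)

// NybbleFanout returns every address that differs from a in exactly one
// nybble and still lies inside the target network.
func NybbleFanout(a netip.Addr, target netip.Prefix) []netip.Addr {
	var out []netip.Addr
	base := a.As16()
	for pos := 0; pos < 32; pos++ {
		shift := uint(4 * (1 - pos%2)) // even positions are the high nybble
		cur := (base[pos/2] >> shift) & 0x0f
		for v := byte(0); v < 16; v++ {
			if v == cur {
				continue
			}
			b := base
			b[pos/2] = b[pos/2]&^(byte(0x0f)<<shift) | v<<shift
			if c := netip.AddrFrom16(b); target.Contains(c) {
				out = append(out, c)
			}
		}
	}
	return out
}

// Fanout is a string wrapper around NybbleFanout.
func Fanout(addr, network string) []string {
	var out []string
	for _, c := range NybbleFanout(netip.MustParseAddr(addr), netip.MustParsePrefix(network)) {
		out = append(out, c.String())
	}
	return out
}

func main() {
	start := "2001:0558:0110:0000:ffff:ffff:0000:0021"
	fmt.Println(len(Fanout(start, "2000::/4")))                          // 31 free nybbles x 15
	fmt.Println(len(Fanout(start, "2001:558:110:0:ffff:ffff:0:20/124"))) // 1 free nybble x 15
}
```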
/64 Sequential Fanout


• Sequentially fan out from each discovered ::1/64 address
• /64 networks
  o Neighboring ::1/64 addresses (sequentially increasing and decreasing)
• Hosts within a /64
  o Neighboring ::X/64 addresses (sequentially increasing)
• Target IP Address
  2001:0558:0110:4fab::1


Neighboring /64 networks:

2001:0558:0110:4fa9::
2001:0558:0110:4faa::
2001:0558:0110:4fac::
2001:0558:0110:4fad::


Neighboring /64 hosts:

2001:0558:0110:4fab::
2001:0558:0110:4fab::
2001:0558:0110:4fab::5


Is Us Smarter?


Improved Discovery Rate


v0.2
• 58,838 addresses found in eight days, ~80% not found in public data sets
• 0.068 new IPs / second

v0.3
• 1.57M addresses found in one hour, ~78% not found in public data sets
• 342.19 new IPs / second


503,234% Improvement


MOAR RESULTS 


• Port scanned ~100K addresses from the newly discovered set, testing some common ports
• Lots of network equipment (both infrastructure and CPE)
• No-auth Mongo instances
• Lots of ancient SSH and telnet servers


To The Cloud


Crowdsourced Scan Data


• How can we make this data more accessible?
• Users of IPv666 optionally push scan results to the cloud
• Scan results are aggregated into a queryable datastore


IPv666 Online Portal


• Online portal where users can query the crowdsourced scan result set
• <placeholder for link to online portal>


IPv666 


Official v0.4 Release! 


• Install with go get:
  go get github.com/lavalamp-/ipv666/ipv666
• Push crowdsourced scan results to the cloud


Was Ist Das? 


ipv666 is a set of tools that enables the discovery of IPv6 addresses both in the global IPv6 address space and in more
narrow IPv6 network ranges. These tools are designed to work out of the box with minimal knowledge of their workings. 


The tools included in this codebase are as follows: 


* scan discover - Locates live hosts over IPv6 using statistical modeling and ICMP ping scans 

* scan alias - Tests a single IPv6 network range to see if the network range is aliased

* generate addresses - Generate IPv6 addresses based on the content of a probabilistic clustering model 

* generate model - Generate a probabilistic clustering model based off an input set of IPv6 addresses 

* generate blacklist - Adds the contents of a file containing IPv6 network ranges to the aliased network blacklist 
* clean - Cleans the contents of a file containing IPv6 addresses based on an aliased network blacklist 


* convert - Converts the contents of a file containing IPv6 addresses to another IP address representation 


scan discover 


This utility scans for live hosts over IPv6 based on the network range you specify. If no range is
specified, then this utility scans the global IPv6 address space (e.g. 2000::/4). The scanning process
generates candidate addresses, scans for them, tests the network ranges where live addresses are found
for aliased conditions, and adds legitimate discovered IPv6 addresses to an output list.


Usage: 
ipv666 scan discover [flags] 


Flags: 
-h, --help help for discover
-o, --output string The path to the file where discovered addresses should be written.
-t, --output-type string The type of output to write to the output file (txt or bin).


Global Flags:
-b, --bandwidth string The maximum bandwidth to use for ping scanning
-f, --force Whether or not to force accept all prompts (useful for daemonized scanning).
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error).
-n, --network string The IPv6 CIDR range to scan.


scan alias 


A utility for testing whether or not a network range exhibits traits of an aliased network range. 
Aliased network ranges are ranges in which every host responds to a ping request, thereby making it 
look like the range is full of IPv6 hosts. Pointing this utility at a network range will let tell you 
whether or not that network range is aliased and, if it is, the boundary of the network range that is 
aliased. 


Usage: 
ipv666 scan alias [flags] 


Flags: 
-h, --help help for alias 


Global Flags: 
-b, --bandwidth string The maximum bandwidth to use for ping scanning 
-f, --force Whether or not to force accept all prompts (useful for daemonized scanning). 
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error).
-n, --network string The IPv6 CIDR range to scan. 


generate addresses 


This utility will generate IPv6 addresses in target network range (or in the global address 
space) based on the default included cluster model or a cluster model that you specify. 


Usage: 
ipv666 generate addresses [flags] 


Flags:
-c, --count int The number of IP addresses to generate. (default 1000000)
-h, --help help for addresses
-m, --model string Local file path to the model to generate addresses from (if empty, uses the default model packaged with ipv666).
-n, --network string The address range to generate addresses within (if empty, generates addresses in the global address space of ::/0).
-o, --out string File path to where the generated IP addresses should be written.


Global Flags: 
-f, --force Whether or not to force accept all prompts (useful for daemonized scanning). 
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error). 


generate model 


This utility will generate a predictive clustering model based on the contents of 
an IPv6 address file. 


Usage: 
ipv666 generate model [flags] 


Flags:
-h, --help help for model
-i, --input string An input file containing IPv6 addresses to use for the model.
-o, --out string The file path to write the resulting model to.


Global Flags:
-f, --force Whether or not to force accept all prompts (useful for daemonized scanning).
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error).


generate blacklist 


This utility takes a list of IPv6 CIDR ranges from a text file (new-line delimited), 
adds them to the current network blacklist, and sets the new blacklist as the one to use 
for the 'scan' command. 


Usage: 
ipv666 generate blacklist [flags] 


Flags: 
-h, --help help for blacklist 
-i, --input string An input file containing IPv6 network ranges to build a blacklist from. 


Global Flags: 


-f, --force Whether or not to force accept all prompts (useful for daemonized scanning). 
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error). 


clean 


This utility will clean the contents of an IPv6 address file (new-line delimited, standard ASCII hex
representation) based on the contents of an IPv6 network blacklist file. If no blacklist path is 
supplied then the utility will use the default blacklist. The cleaned results will then be written to 
an output file. 


Usage: 
ipv666 clean [flags] 


Flags:
-b, --blacklist string The local file path to the blacklist to use. If not specified, defaults to the most recent blacklist in the configured blacklist directory.
-h, --help help for clean
-i, --input string An input file containing IPv6 addresses to clean via a blacklist.
-o, --out string The file path where the cleaned results should be written to.


Global Flags: 


-f, --force Whether or not to force accept all prompts (useful for daemonized scanning). 
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error). 


convert 


This utility will process the contents of a file as containing IPv6 addresses, convert those addresses 
to another format, and then write a new file with the same addresses in the new format. This 
functionality is (hopefully) intelligent enough to determine how the addresses are stored in the file 
without having to specify an input type. 


Usage: 
ipv666 convert [flags] 


Flags: 
-h, --help help for convert 
-i, --input string The file to process IPv6 addresses out of. 
-o, --out string The file path to write the converted file to.
-t, --type string The format to write the IPv6 addresses in (one of 'txt', 'bin', 'hex'). 


Global Flags: 
-f, --force Whether or not to force accept all prompts (useful for daemonized scanning). 
-l, --log string The log level to emit logs at (one of debug, info, success, warn, error). 


Linky Links


• IPv666 Blog Post
  https://l.avala.mp/?p=285
• IPv666 GitHub Repository
  https://github.com/lavalamp-/ipv666


Conclusion 


Background 

The Scanning Problem 
Honeypotting for PSLAAC 
Modeling for non-PSLAAC 


Being Less Dumb 


Results 


To The Cloud 
IPv666 


Conclusion 


Moar Links 


• Entropy/IP
  http://www.entropy-ip.com/
• 6gen
  https://zakird.com/papers/imc17-6gen.pdf
• Clustering of IPv6 address structure
  https://arxiv.org/pdf/1806.01633.pdf
• IPv6 hitlist
  https://ipv6hitlist.github.io/


Q&A 


THANKS! 


Chris Grayson Marc Newlin 


@_lavalamp @marcnewlin 


